Nomi's business model involves working with retail outlets to install sensors in their stores. As a customer walks in, these sensors fetch a phone's MAC address, which is broadcast broadcast via Wi-Fi, and begin to track it. You can see where this is going. With information in-hand, Nomi is able to tell these retailers about a couple of different things: how long the customer stayed in the store, and how often they visit. I would not be surprised of the retails gained information on other stores the customer went to.
If there's a fortunate part of all this, it's that customers don't seem to have been tracked on that personal of a level. Nomi and these retailers didn't know who these customers were; they only knew their smartphone (and it's not clear if retailers are able to detect whether or not a previous customer has reentered the store as it happens). Still, despite all that, this is a gross privacy violation, and one that the FTC apparently won't put up with.
The biggest flaw with Nomi's operation is that its opt-out methods were useless. If someone doesn't even realize they're being tracked, how are they going to know about an opt-out mechanism? While this tracking system was in place, Nomi had data on over 9 million phones.